Vault secrets

Gafaelfawr uses secrets stored in Vault and uses Vault Secrets Operator to materialize those secrets in Kubernetes.

The secrets marked autogenerated are automatically generated by the Phalanx secrets management tooling. See Phalanx secrets management for more information about how secrets are managed in Phalanx. Other secrets will need to be provided in the static secrets source used by the relevant Phalanx environment.

bootstrap-token (autogenerated)

A Gafaelfawr token created with gafaelfawr generate-token (CLI command). Used to create service tokens, initialize admins, and do other privileged operations. See Bootstrapping for more information.

cilogon-client-secret (optional)

The CILogon secret, obtained during client registration as described above. This is only required if you’re using CILogon for authentication.

database-password

The password to use for the PostgreSQL database. This should be set to a long, randomly-generated alphanumeric string.

github-client-secret (optional)

The GitHub secret, obtained when creating the OAuth App as described above. This is only required if you’re using GitHub for authentication.

ldap-keytab (optional)

The Kerberos keytab used for Kerberos GSSAPI binds to an LDAP server. This should be the contents of the keytab file, base64-encoded without line wrapping, using a command such as base64 -w 0 < keytab-file. Only used if LDAP lookups are enabled and a Kerberos configuration is provided. See LDAP for more information.
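The encoding requirement above is easy to get wrong: a plain base64 run wraps its output at 76 columns, and the resulting newlines end up inside the secret. The following is an added example, not Gafaelfawr's or Phalanx's own code, showing how to produce the single-line encoding from Python and how to sanity-check a candidate value before storing it. The function names and the constructed sample keytab are this example's own; the only fact it relies on beyond the text above is that a keytab file starts with the byte 0x05 followed by a format version byte (0x01 or 0x02).

```python
"""Prepare and sanity-check a Kerberos keytab for the ldap-keytab secret.

Added example, not Gafaelfawr's own code. The secret must be the raw
keytab bytes encoded as base64 on a single line (the equivalent of
``base64 -w 0 < keytab-file``); a line-wrapped encoding is the usual
mistake and is rejected here.
"""

import base64
import binascii
import string

# Constructed sample: a keytab file begins with 0x05 followed by the format
# version byte (0x02 for current keytabs, 0x01 for the old format). The
# remaining bytes here are filler standing in for the keytab entries.
SAMPLE_KEYTAB = bytes([0x05, 0x02]) + b"\x00\x00\x00\x20" + b"\x01" * 32

_B64_ALPHABET = frozenset(string.ascii_letters + string.digits + "+/=")


def encode_keytab(keytab: bytes) -> str:
    """Return the single-line base64 form expected in the ldap-keytab secret."""
    return base64.b64encode(keytab).decode("ascii")


def validate_keytab_secret(value: str) -> bytes:
    """Decode a candidate ldap-keytab value, rejecting common mistakes.

    Returns the raw keytab bytes on success and raises ValueError otherwise.
    """
    if not value:
        raise ValueError("ldap-keytab is empty")
    bad = set(value) - _B64_ALPHABET
    if bad:
        # Newlines from a wrapped `base64` run, stray spaces, and so on.
        raise ValueError(f"ldap-keytab contains non-base64 characters: {sorted(bad)!r}")
    try:
        raw = base64.b64decode(value, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"ldap-keytab is not valid base64: {exc}") from exc
    if len(raw) < 2 or raw[0] != 0x05 or raw[1] not in (0x01, 0x02):
        raise ValueError("decoded value does not start with a keytab header (0x05 0x01/0x02)")
    return raw


def is_valid_keytab_secret(value: str) -> bool:
    """Boolean convenience wrapper around validate_keytab_secret."""
    try:
        validate_keytab_secret(value)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    encoded = encode_keytab(SAMPLE_KEYTAB)
    assert validate_keytab_secret(encoded) == SAMPLE_KEYTAB
    # Output of plain `base64` (76-column wrapping, trailing newline) is rejected.
    wrapped = base64.encodebytes(SAMPLE_KEYTAB).decode("ascii")
    print("wrapped encoding accepted:", is_valid_keytab_secret(wrapped))
```

Run the validator against the value you are about to place in the static secrets source; a rejection for non-base64 characters almost always means the encoding step wrapped its output.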

ldap-password (optional)

The password used for simple binds to an LDAP server. Only used if LDAP lookups are enabled and simple binds are configured. See LDAP for more information.

oidc-client-secret (optional)

The secret for an OpenID Connect authentication provider. This is only required if you’re using generic OpenID Connect for authentication.

oidc-server-secrets (optional)

Only used if the Helm chart parameter config.oidcServer.enabled is set to true. The JSON representation of the OpenID Connect clients. Must be a JSON list of objects, each of which must have id and secret keys corresponding to the client_id and client_secret parameters sent by OpenID Connect clients. See Configuring OpenID Connect for more information.
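The shape of this secret matters because Gafaelfawr's OpenID Connect server authenticates clients against it. The following is an added example, not Gafaelfawr's own code, showing a well-formed oidc-server-secrets value, a parser that rejects the malformed variants (not a list, missing id or secret, duplicate ids), and a constant-time check of a presented client_id/client_secret pair of the kind a token endpoint performs. The function names, the duplicate-id rule and the constructed client entries are this example's own assumptions; only the JSON list-of-objects shape with id and secret keys comes from the text above.

```python
"""Validate an oidc-server-secrets value and check a client credential against it.

Added example, not Gafaelfawr's own code. The secret is a JSON list of
objects, each with ``id`` (the client_id) and ``secret`` (the client_secret)
keys, as described above. Everything else here (function names, the
duplicate-id rule, the constructed sample) is this example's own.
"""

import hmac
import json

# Constructed sample of a well-formed oidc-server-secrets value.
SAMPLE_SECRET = json.dumps(
    [
        {"id": "notebook", "secret": "q7KcZqvQ2n4Y0YtF9QUFqzO5lXh1bWpCx8PmoaS3Rrw"},
        {"id": "portal", "secret": "c9JyLtX5yK4nQ8rUo1FfT3wG6pZd2HvBsAe7MbNk0Lj"},
    ]
)


def parse_oidc_clients(raw: str) -> dict[str, str]:
    """Parse oidc-server-secrets into {client_id: client_secret}, rejecting malformed input."""
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"oidc-server-secrets is not valid JSON: {exc}") from exc
    if not isinstance(data, list):
        raise ValueError("oidc-server-secrets must be a JSON list of objects")
    clients: dict[str, str] = {}
    for index, entry in enumerate(data):
        if not isinstance(entry, dict):
            raise ValueError(f"entry {index} is not a JSON object")
        missing = {"id", "secret"} - entry.keys()
        if missing:
            raise ValueError(f"entry {index} is missing keys: {sorted(missing)}")
        client_id, secret = entry["id"], entry["secret"]
        if not isinstance(client_id, str) or not isinstance(secret, str):
            raise ValueError(f"entry {index}: id and secret must be strings")
        if not client_id or not secret:
            raise ValueError(f"entry {index}: id and secret must be non-empty")
        if client_id in clients:
            # Two entries sharing a client_id would make authentication ambiguous.
            raise ValueError(f"duplicate client id {client_id!r}")
        clients[client_id] = secret
    return clients


def is_valid_oidc_secret(raw: str) -> bool:
    """Boolean convenience wrapper around parse_oidc_clients."""
    try:
        parse_oidc_clients(raw)
    except ValueError:
        return False
    return True


def authenticate_client(clients: dict[str, str], client_id: str, client_secret: str) -> bool:
    """Check a client_id/client_secret pair the way a token endpoint would.

    hmac.compare_digest keeps the comparison time independent of how many
    leading bytes match. An unknown client_id is compared against a dummy of
    equal length so the unknown-id and wrong-secret paths take similar time.
    """
    presented = client_secret.encode("utf-8")
    expected = clients.get(client_id)
    if expected is None:
        hmac.compare_digest(presented, b"\0" * len(presented))
        return False
    return hmac.compare_digest(expected.encode("utf-8"), presented)


if __name__ == "__main__":
    registry = parse_oidc_clients(SAMPLE_SECRET)
    print("clients:", sorted(registry))
    print("notebook auth:", authenticate_client(registry, "notebook", registry["notebook"]))
    print("wrong secret:", authenticate_client(registry, "notebook", registry["portal"]))
```

Running the parser over the JSON before committing it to the static secrets source catches the structural mistakes (a bare object instead of a list, a misspelled key) that would otherwise only surface when Gafaelfawr starts.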

redis-password (autogenerated)

The password to use for Redis authentication. This should be set to a long, randomly-generated alphanumeric string.

sentry-dsn (optional)

Sentry DSN URL to which to send telemetry information if Sentry is enabled. Required if config.enableSentry is set to true.

session-secret (autogenerated)

Encryption key for the Gafaelfawr session cookie. Generate with gafaelfawr generate-session-secret (CLI command).

signing-key (optional, autogenerated)

Only used if the Helm chart parameter config.oidcServer.enabled is set to true. The PEM-encoded RSA private key used to sign internally-issued JWTs. Generate with gafaelfawr generate-key (CLI command).

slack-webhook (optional)

Only used if the Helm chart parameter config.slackAlerts is set to true. The Slack incoming webhook URL to which to post alerts. See Slack alerts for more information.